PIX 506E Routing from Inside Interface network To outside interface network

 
 
marti314
      08-04-2005
I have a PIX 506E in which I want to route from a device on the inside
interface subnet to a device on the outside interface subnet. Here is
an example of what I want to do:


192.168.1.5 --> Computer on 192.168.1.0/24 network
192.168.1.1 --> IP address of inside interface on PIX


192.168.1.5 uses 192.168.1.1 as default GW
------------------------------------------------------------
192.168.2.5 --> Computer on 192.168.2.0/24 network
192.168.2.1 --> IP address of the outside interface on PIX


192.168.2.5 uses 192.168.2.1 as their gateway


I want to be able to communicate between subnets using the PIX as a
router. Basically I want 192.168.1.5 to be able to talk to 192.168.2.5
and vice versa.


Can someone please tell me if this is possible, and if it is, what
would the routing statements on the PIX look like?

 
Walter Roberson
      08-05-2005
marti314 wrote:
:I have a PIX 506E in which I want to route from a device on the inside
:interface subnet to a device on the outside interface subnet. Here is
:an example of what i want to do:

:192.168.1.5 --> Computer on 192.168.1.0/24 network
:192.168.1.1 --> IP address of inside interface on PIX
:192.168.1.5 uses 192.168.1.1 as default GW

:192.168.2.5 --> Computer on 192.168.2.0/24 network
:192.168.2.1 --> IP address of the outside interface on PIX
:192.168.2.5 uses 192.168.2.1 as their gateway

:I want to be able to communicate between subnets using the PIX as a
:router.

That isn't possible.

: Basically I want 192.168.1.5 to be able to talk to 192.168.2.5
:and vice versa.

:Can someone please tell me if this is possible,

No. There is no way to turn off Adaptive Security in PIX 5.x or PIX 6.x,
so the closest you can get is to allow connections in both directions.

What's the difference? Well, suppose that 192.168.2.5 had a TCP connection
open with 192.168.1.5, and that the connection was closed. Suppose
192.168.2.5 then tried to send further TCP packets to that port
(e.g., a "half-closed" situation.) Then if the PIX was acting as
a router, it would go ahead and pass on the packets, and 192.168.1.5
would do whatever it wanted with them (e.g., throw them away.)
However, because you cannot turn off the Adaptive Security Algorithm,
the PIX is going to discard those packets instead of routing them.

You can use the PIX to have regular normal connections between the
two sides, but you can't have the PIX act as a router in the
normal sense of the word.


:and if it is, what
:would the routing statements on the pix look like?

static (inside,outside) 192.168.1.5 192.168.1.5 netmask 255.255.255.255

access-list out2in permit ip host 192.168.2.5 host 192.168.1.5
access-group out2in in interface outside

Notice the lack of 'route' statements. You do not need any
'route' statements on the PIX for communications between the
IP range of the inside and outside interfaces.

You *might* need to put a route statement into the WAN router, but
probably not, as the PIX will proxy ARP 192.168.1.5 when configured
as above.


Note: you wouldn't -usually- configure in this way. -Usually-
you would configure something more like

static (inside,outside) 192.168.2.4 192.168.1.5 netmask 255.255.255.255
access-list out2in permit ip host 192.168.2.5 host 192.168.2.4
access-group out2in in interface outside

In this configuration, 192.168.2.5 asks to talk to 192.168.2.4
and the PIX internally converts the destination to 192.168.1.5 .
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
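
A simplified model of the router-versus-stateful-filter difference described in the reply above, as an added example that is not part of the original thread and is not Cisco's algorithm. It assumes state is removed as soon as both sides have sent FIN (no timers, final ACK not modelled); the class and function names and the packet trace are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed model, not Cisco code. The ACL mirrors the thread's out2in entry.
OUT2IN_ACL = {("192.168.2.5", "192.168.1.5")}
INSIDE_PREFIX = "192.168.1."   # hosts behind the inside interface

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" SYN, "SA" SYN-ACK, "A" ACK/data, "F" FIN, "R" RST

def router_forward(pkt):
    # A plain router keeps no connection state: routable means forwarded.
    return True

class StatefulFilter:
    def __init__(self):
        self.conns = {}   # flow key -> set of hosts that have sent FIN

    def forward(self, p):
        # One key for both directions of the same TCP connection.
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if key not in self.conns:
            # Only a SYN creates state; outside-initiated SYNs must match the ACL.
            from_inside = p.src.startswith(INSIDE_PREFIX)
            if p.flags != "S" or not (from_inside or (p.src, p.dst) in OUT2IN_ACL):
                return False
            self.conns[key] = set()
        elif p.flags == "R":
            del self.conns[key]
        elif p.flags == "F":
            self.conns[key].add(p.src)
            if len(self.conns[key]) == 2:   # both sides have closed
                del self.conns[key]
        return True

def replay(packets):
    """Return (router verdicts, stateful verdicts) for a packet sequence."""
    fw = StatefulFilter()
    return [router_forward(p) for p in packets], [fw.forward(p) for p in packets]

A, B = "192.168.2.5", "192.168.1.5"
# Constructed trace: handshake, data, close from both sides, then a late packet.
SAMPLE = [Packet(A, 40000, B, 80, "S"), Packet(B, 80, A, 40000, "SA"),
          Packet(A, 40000, B, 80, "A"), Packet(A, 40000, B, 80, "F"),
          Packet(B, 80, A, 40000, "F"), Packet(A, 40000, B, 80, "A")]
```

Calling `replay(SAMPLE)` shows the router forwarding all six packets while the stateful filter drops only the last one, which arrives after the connection state is gone.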
 